CVE-2026-10649
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
Summary
A flaw was found in Pacemaker. An unauthenticated remote attacker can exploit an integer overflow vulnerability in the remote message decompression process. By sending a specially crafted compressed remote message before authentication, an attacker can cause memory corruption, leading to a denial of service (DoS) in the CIB remote listener. This can result in the affected service crashing.
Affected Software
| Vendor | Product | Version Range | Status |
|---|
Weaknesses
- CWE-190: Integer Overflow or Wraparound
Workarounds
Disable the Pacemaker CIB remote listener if it is not actively used. If the listener is required, restrict network access to trusted hosts by configuring firewall rules to limit inbound connections to the remote-port or remote-tls-port. These actions reduce the attack surface by limiting unauthenticated network exposure to the vulnerable component. A restart of the Pacemaker service may be necessary for these changes to be fully applied.
ADP Enrichment
CVE Program Container
Additional References
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
pacemaker: Pacemaker: Denial of Service via integer overflow in remote message decompression
Additional References
- https://access.redhat.com/security/cve/CVE-2026-10649
- https://bugzilla.redhat.com/show_bug.cgi?id=2462817
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-10649.json
References
- https://access.redhat.com/security/cve/CVE-2026-10649
- https://bugzilla.redhat.com/show_bug.cgi?id=2462817
- https://github.com/clusterLabs/pacemaker/pull/4128
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.